Home Tags Advanced Encryption Standard (AES)

Tag: Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES), also known as Rijndael (its original name), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process. Rijndael is a family of ciphers with different key and block sizes.

For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.

AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.

In the United States, AES was announced by the NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001. This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable (see Advanced Encryption Standard process for more details).

AES became effective as a federal government standard on May 26, 2002 after approval by the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available in many different encryption packages, and is the first (and only) publicly accessible cipherapproved by the National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module (see Security of AES, below).

The name Rijndael (Dutch pronunciation: [ˈrɛindaːl]) is a play on the names of the two inventors (Joan Daemen and Vincent Rijmen).

‘You’ve been hacked, pay up’: Ransomware forces your PC to read...

Weirdly, it also lets Eastern Europeans go free Ransomware miscreants have developed a strain of malware that lets victims known that their computer has been encrypted verbally. The Cerber ransomware encrypts users' files using AES encryption before demanding an extortionate payment of 1.24 Bitcoins ($500) in order to supply a private key needed to decrypt files. The Windows-based malware first generates a series of fake system alerts in an attempt to persuade a victim into accepting a system shutdown. Once a machine reboots the malware begins encrypting documents' filename and adding a .CERBER extension to them. Currently, dormant features in the code allow the malware to map and encrypt files on network drives linked to a compromised machines. Once the file encryption process is finished, the malware generates three ransom notes. One of theses message services, through a VBScript, allows the computer to verbally read out the blackmail message to victims.

Twelve different languages are supported by the polyglot menace, which was first detected by two independent malware analysts nicknamed BiebsMalwareGuy and MeegulWorth. But the ransomware is deliberately programmed not to infect computers in eastern Europe. “The fact that Cerber has the ability to target network shares, not to mention its decryptor's compatibility with 12 difference languages, attests to the increasing sophistication of today's ransomware campaigns,” commented veteran security expert Graham Cluley in a blog post. “It is therefore recommended that users maintain regular backups of their data, that they avoid clicking on suspicious link, and that they maintain an updated anti-virus solution on their machines.” Web security forum BleepingComputer has a fuller write-up of the threat here. A video of the ransomware in action has been uploaded to YouTube here. The appearance of Cerber comes shortly after the arrival of the first example of Mac OS X ransomware.

The Mac nasty came bundled into downloads of the popular Transmission BitTorrent client, as previously reported. ® Sponsored: Why every enterprise needs an Internet Performance Management (IPM) Strategy

First working Apple Mac ransomware infects Transmission BitTorrent app downloads

If you downloaded 2.90, you've got a few hours to get rid of it The first "fully functional" ransomware targeting OS X has landed on Macs – after somehow smuggling itself into downloads of the popular Transmission BitTorrent client. Transmission's developers have warned in a notice splashed in red on the app's website that if you fetched and installed an afflicted copy of the software just before the weekend, you must upgrade to a clean version. Specifically, downloads of version 2.90 were infected with ransomware that will encrypt your files using AES and an open-source crypto library, and demand a payment to unscramble the documents. Transmission has millions of active users.
It is possible the app's website was compromised, and the downloads tampered with to include the KeRanger nasty. Those who have had files encrypted will be asked by the malware to cough up US$400 in Bitcoins, paid to a website hidden in the Tor network, to get their files back. "Everyone running [version] 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file," the Transmission authors posted on Sunday. Palo Alto Networks researchers Claud Xiao and Jin Chen found the KeRanger ransomware hidden in the BitTorrent software on Friday, and warned the Transmission team of the infection. The pair and a group of seven others from Palo Alto Networks detected the infiltration hours after miscreants somehow injected the malware into the downloads.

They noted that KeRanger is programmed to encrypt victims' files three days after the infected Transmission client is installed. The website warning Mac fans who installed Transmission for OS X 2.90 from the official website between March 4 and March 5 are probably at risk.

Those who upgrade to the latest clean and ransomware-free version of Transmission – version 2.92 – by Monday, 11am PT (7pm UTC) should avoid having their files encrypted. The malicious code has a process name of kernel_service, which can be killed, and it stores its executable in ~/Library/kernel_service, which should be deleted.

The latest safe version of Transmission, v2.92, includes a tool to remove the KeRanger ransomware. "On March 4, we detected that the Transmission BitTorrent installer for OS X was infected with ransomware, just a few hours after installers were initially posted," Xiao and Chen wrote. "As FileCoder (earlier Mac ransomware) was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform. "It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred." Attackers could potentially alter the ransomware through its command-and-control server so that KeRanger immediately encrypts files rather than lying in wait for a few days. KeRanger was cryptographically signed using a now-revoked Apple-issued developer certificate, but will still be accepted by OS X's Gatekeeper protection system.

That means if an OS X system is configured to only run software from trusted developers, KeRanger will be allowed to start as it is signed by a developer cert.

Apple has added the ransomware's signature to OS X's XProtect mechanism, which screens downloads and blocks malicious code. KeRanger also contains other dormant features that could encrypt Mac TimeMachine backups preventing users from restoring their machines.

As an interesting aside, the malware's executable was smuggled in an .RTF README file within Transmission. ® Sponsored: Managing business risk

The return of HackingTeam with new implants for OS X

Last week, Patrick Wardle published a nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well.
Since HackingTeam implants are built on-demand for each target, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor. Encryption key The main Backdoor component receives its payload instructions from an encrypted Json configuration file.
In order to decrypt the configuration file, we began by using known keys, but none of them were able to decrypt the file. Upon checking the binary file we were able to identify that the function used to encode the file is still AES 128, so we started to look for a new encryption key. We located the initialization of the encryption routine, where the key is passed as an argument. By following this code we were able to find the new key used to encrypt the configuration file. As you can see, the key is 32 bytes long, so just the first 16 bytes are used as the key.

By using this key on our script we successfully decrypted the configuration file, which turns out to be a Json format file carrying instructions on how that particular Backdoor needs to operate on the target’s OS X machine: What does the implant do? It takes screenshots It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the Json configuration file: It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted. It spies on the victim by enabling frontal camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard. It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired. Among other functionalities it also spies on the geolocation of the victim. It’s interesting to note that the Json file says that the start date of the operation is October 16 (Friday), 2015.

This indicates that this is a fresh HackingTeam Backdoor implant. For some reason the attacker was not interested in any emails sent to or from the target before that date but only from then on. Kaspersky Lab detects the above-mentioned Backdoor implants as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d Reference samples hashes: 0eb73f2225886fd5624815cd5d523d08e2b81bed4472087dca00bee18acbce04 Command and control servers: 212[.]71[.]254[.]212

This is what it looks like when your website is hit...

Malware appears to have hijacked the British Association for Counselling and Psychotherapy (BACP)'s website – and held it to ransom. The front page of the site has been replaced with instructions on how to pay off the extortionists: $150 (£100) in Bitcoin must be coughed up by February 22, or the association's web data will remain scrambled forever. The malware, CTB-Locker, encrypts files on infected machines, and then demands payment for the decryption key. Without this key, the contents of the documents are useless. BACP, based in Leicester, describes itself as "the largest professional body representing counselling and psychotherapy in the UK," and is said to have more than 40,000 members. So far, the ransom has not been paid: the crooks' Bitcoin wallet is empty and no currency has been moved from it. What's puzzling to us is that CTB-Locker is known to be a Windows software nasty that is typically installed by accidentally opening a spam email attachment or browsing a malicious website. Yet, BACP.co.uk appears to be powered by Linux, probably kernel version 2.6.32 to 2.6.35. Right now, the web server has FTP, SSH, HTTP, HTTPS, RPCBIND, and MySQL services facing the public internet: the HTTP server says it's Apache 2.2.17 running on Fedora, and the SSH service says it's OpenSSH 5.4. Not all the files on the server have been encrypted – for example, the privacy policy page is still working – however some documents, such as an ethics framework, are scrambled (here's what that framework should look like). The hijacked front page reads: "Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site. Decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the decryption key." Owned ... the BACP website held to ransom (click to enlarge) It's entirely possible a Windows PC was infected at the association, website files on the machine were encrypted, and then the files were synchronized to the web server along with a replacement homepage. Mark this one down as at least one Linux-powered website taken down by CTB-Locker in one way or another – and pray CTB-Locker hasn't infected more of the psychotherapy body's computers. That would certainly need some counseling to recover from. For the curious, if you open the source code for the hijacked homepage, and scroll down to the end, you'll find URLs to three compromised websites that are hosting scripts that return, in JSON format, whether or not the victims have paid yet. So far, we're told, {"status":"not_payed"}. In happier times ... how the association's website should look A spokesperson for BACP was not available for immediate comment. ® Sponsored: Building secure multi-factor authentication

Study finds anti-encryption laws won’t work on an international stage

In response to attempts to put restrictions on encryption technology, a new report surveys 546 encryption products in 54 countries outside the United States, out of 865 hardware and software produc...

Yes or no: D@RE is a bonkers name for EMC’s enterprise...

With ECS v2.2, EMC has improved its storage efficiency, searchability and security, we're told. EMC's ECS (elastic cloud storage) is a software-defined, object-based cloud storage platform that can scale up to exabyte levels. The company launched ECS, previously known as Project Nile, in May, 2014. ECS 2.2 adds three things: Ability to search metadata across objects without a dedicated database. Increased storage density 33 per cent and storage efficiency 10 per cent. Data-at-rest-encryption (D@RE). ECS D@RE supports FIPS-140-2 Level 1 compliance using an AES 256-bit encryption algorithm. D@RE can be applied at the bucket or namespace level in the ECS portal or with the ECS Management API. Support at the object level is also available using the Amazon S3 SSE constructs. D@RE provides automated key management and encrypts inline and then stores the encrypted data on ECS storage media. Keys are segregated at the namespace level. User-supplied keys can be used with the S3 API. EMC pre-sales director Antonio Romeo says that searching an object store can often require developers to write their own search functions and insert them into the object store's fabric. This means "essentially using an external DB, maintain it, backup it, [and] keep it in sync with the object storage platform." With ECS v2.2, users can search metadata across potentially exabytes of unstructured data in the object store without a dedicated database. The developers enable user-defined metadata to be searched "via rest APIs especially suited for Internet of Things, mobile app and geo-distributed datasets." This is how it is done: in ECS 2.2, the ECS S3-compatible protocol automatically associates system metadata with an object and allows users to associate custom metadata with an object. The metadata is in the form of name-value pairs. The metadata search facility enables ECS to maintain an index of the objects in a bucket, based on their associated metadata, and allows S3 object clients to search for objects within buckets based on the indexed metadata, using a rich query language. The metadata fields for which search indexes will be maintained (search keys) are configured for a bucket from the ECS Portal, the ECS Management REST API, or the S3 REST API. ECS dashboard Another new feature is a single-pane-of-glass view that provides what EMC claims is a complete system health check. Romeo says "there are dozens of other updates in our latest release," but doesn't detail them. A v2.2 ECS Planning Guide [PDF] does, and here are some of them: Cold storage archives with less object storage overhead, meaning greater storage efficiency. HDFS – ECS HDFS is certified against Hadoop 2.7. Certified applications/components include HDFS, MapReduce, Yarn, Hbase, Hive, Pig and ZooKeeper. ECS supports SEC Rule 17a-4(f) standard for electronic record storage. The CAS query API is now automatically available for all CAS buckets. Tags in the form of name-value pairs can be assigned to a bucket using the ECS Portal or the ECS Management REST API, enabling object data stored in the bucket to be categorized. ECS object data is stored in chunks and chunks are broken into fragments based on an erasure coding (EC) scheme in order to improve storage efficiency. Geo copy to all sites. Read an ECS overview and architecture guide here [PDF]. ® Sponsored: Are you risking security with the cloud?

AppSense Releases DataNow Enhancements for Easy and Secure Windows 10 Migrations

DataNow Supports Windows 10, Delivers In-Location Sync, and Enables Shared Group Folders as Drive Letters Reading, UK., February 4, 2016 – AppSense, the global leader of secure user environment management (UEM) solutions, today announced the latest release of DataNow, a simple and secure file sync and migration solution. The latest release of DataNow extends support for Windows 10, features In-Location Sync and enables the use of Shared Group Folders as drive letters. Access to existing data is one of the biggest hurdles enterprises face when migrating to Windows 10. DataNow is the only file sync solution that delivers a completely native and seamless end user experience across any Windows environment leveraging any management or storage infrastructure. DataNow enables “just in time” granular sync from file and folder default locations, saving on storage, bandwidth and administration costs. Users don’t need to copy, move, monitor or redirect files to sync them. Files simply sync in the background, wherever they are located, without any user action. “Our employees’ workstyles vary from mobile to physical desktop, and DataNow ensures that all our data is consistently synced, no matter what the work scenario or device,” said AppSense US customer Omesh Pertob, Virtualisation Architect, City of Round Rock, Texas. “We look forward to offering them the same convenience when we migrate them to Windows 10 this year—and we won’t have to worry about losing any data when moving them over.”DataNow’s Shared Group Folders feature reinforces use of corporate drives and eliminates data sprawl and file search issues typical in many companies. To users, files on shared drives appear to reside on their local drive, even when mobile. “DataNow removes the risk from Windows 10 migration. When our customers migrate users to Windows 10, AppSense enables them to sync all files and settings data from a user’s laptop or desktop and make them instantly available on that user’s new Windows 10 device—without disrupting the user,” said Bassam Khan, Vice President of Product Marketing at AppSense.DataNow’s unique approach to secure data access and migration works with existing shares and servers to enable enterprises to deliver:Effortless Migration of User Files to Windows 10 and for Hardware Refresh – Files and folders follow the user and can be selectively synced, with instant access. Easy Access – Business users can access and work on files from anywhere at any time.Secure Access - DataNow secures data with 256-bit AES encryption as it is transferred between client devices and the DataNow appliance. Any files that users download to mobile devices are also encrypted on the device and can be wiped on-demand automatically or by an administrator based on contextual factors.Easy Configuration – IT can simply adopt DataNow and enable clients in minutes without changes to existing storage infrastructure or user profiles.Automatic Sync – Files and folders are continually synced in the background, so users do not need to copy, move, monitor, or redirect files.Simple File Management – IT can administer file access for business users via a virtual appliance.Native Folder Mapping – Now supported in Windows 10, native folder mapping allows users to continue to work with files in familiar locations like My Documents. Assured Regulatory Compliance – IT can control the sync of files and folders for compliant data retention.DataNow 3.6 with In-Location Sync, map points enabled as network drives and Windows 10 support is available now. For more information or to request a demo, please visit http://www.appsense.com/products/datanow/ About AppSenseAppSense is the leading provider of UEM solutions for the secure endpoint. AppSense user virtualization technology allows IT to secure and simplify workspace control at scale across physical, virtual and cloud-delivered desktops. AppSense solutions have been deployed by over 3,600 enterprises worldwide to 9 million endpoints. The company is headquartered in Sunnyvale, CA with offices around the world. For more information please visit www.appsense.com.###Media Contact:Sharon MundayOn Your Case Ltd for AppSense+77 87 566382sharon@onyourcase.co.uk Source: RealWire

‘Hopelessly insecure’ Motorola CCTV cameras belatedly patched

Security researchers have successfully hacked the Motorola Focus 73 outdoor security camera, using exploits that allowed them to gain access to the associated home network’s Wi-Fi password as a result.   White hats at Context Information Security were able to obtain full control of the camera’s pan-tilt-zoom controls as well as redirecting the video feed and movement alerts after hacking the IoT-enable camera. The research provides evidence that even IoT products from some of the biggest tech companies have security issues. The Motorola IP camera, manufactured by Binatone, offers cloud connectivity via the Hubble service, hosted by Amazon Elastic Compute Cloud. The facility allows customers to watch and control their cameras remotely as well as receive movement alerts through a free mobile app. Context researchers found that during set up, the private Wi-Fi security key is transmitted unencrypted over an open network, using only basic HTTP Authentication with the username "camera" and password "000000". A number of legacy webpages on the camera revealed that the device is based on the same hardware as a legacy baby monitor product. As part of a deeper dive, the researchers obtained root access to the camera after discovering its password was a lamentable "123456". Further digging provided access to the home network Wi-Fi password in plaintext as well as factory wireless credentials for secure test networks and even more surprisingly, credentials for the developers’ Gmail, Dropbox and FTP accounts. The device's logs, accessible via the open web interface, also contained the AES encryption key for the remote control messages and FTP credentials for video clip storage. The wholly insecure setup allowed Context’s white hats to install their own malicious firmware because of the absence of security checks that would have questioned the validity of downloaded software. The camera uses the STUN (Session Traversal Utilities for NAT) protocol to run communications with the Hubble server and control the camera. Armed with the AES key, Context’s boffins were able to access encrypted commands sent from the cloud to the camera and re-create them to initiate instructions such as start recording, change video server, move left and reboot. Once they’d comprehensively pwned the camera, the researchers were able to subvert and redirect the Hubble DNS configuration to receive a feed of movement alert JPEG images and video clips, normally only available to Hubble paying customers. Context researchers contacted Motorola Monitors in early October 2015 to pass on their findings. These queries were referred to Hubble, which has since taken steps to tighten up its security, after working with its partners Motorola, Binatone, Nuvoton and software developer CVision.  New firmware updates have been released to camera users by Hubble. The update process has reportedly been automated, so that the critical vulnerabilities in both outdoor and indoor Focus models have been mitigated without end users having to search for and apply downloads themselves. “Hubble Connected has fully patched the vulnerability to ensure that the reported bug is addressed,” said Brendan Gibb, CISO at Hubble. “This firmware will be released on 2 February 2016 to all affected cameras.” El Reg contacted Motorola’s PR reps and Hubble Connected (the latter via its Twitter feed) to seek comment. We’ll update this story as and when we hear more. A blog post by Context providing a detailed description of the exploits it developed and its investigation into the (in)insecurity of Motorola Focus 73 outdoor security camera and linked technology can be found here. ® Sponsored: Building secure multi-factor authentication

From Linux to Windows – New Family of Cross-Platform Desktop Backdoors...

Background Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let´s have a look at both of them. DropboxCache aka Backdoor.Linux.Mokes.a This backdoor for Linux-based operating systems comes packed via UPX and is full of features to monitor the victim’s activities, including code to capture audio and take screenshots. After its first execution, the binary checks its own file path and, if necessary, copies itself to one of the following locations: $HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled $HOME/$QT-GenericDataLocation/.dropbox/DropboxCache One example would be this location: $HOME/.local/share/.dropbox/DropboxCache. To achieve persistence, it uses this not very stealthy method: it just creates a .desktop-file in $HOME/.config/autostart/$filename.desktop. Here’s the template for this: Next, it connects to its hardcoded C&C Server. From this point, it performs an http request every minute: This “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption. The binary comes with the following hardcoded public keys: The malware then collects gathered information from the keylogger, audio captures and screenshots in /tmp/. Later it will upload collected data to the C&C. /tmp/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots, JPEG, every 30 sec.) /tmp/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures, WAV) /tmp/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs) /tmp/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data) DDMMyy = date: 280116 = 2016-01-28HHmmss = time: 154411 = 15:44:11nnn = milliseconds. This part of the code is able to capture audio from the victim’s box. However, audio capturing is not activated in the event timer of this binary, just like the keylogging feature. Since the authors have statically linked libqt, xkbcommon (the library to handle keyboard descriptions) and OpenSSL (1.0.2c) to the binary, the size of the binary is over 13MB. The criminals also didn’t make any effort to obfuscate the binary in any way. In fact, the binary contains almost all symbols, which is very useful during analysis. There are also references to the author’s source files: Apparently, it’s written in C++ and Qt, a cross-platform application framework. According to the binary’s metadata it was compiled using “GCC 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)” on Ubuntu 14.04 LTS “Trusty Tahr”. According to the qt_instdate  timestamp, the last time the Qt sources were configured was on 2015-09-26 (qt/qtbase.git: deprecated), which implies the compilation time of the malware to be not earlier than end of September 2015. We detect this type of malware as Backdoor.Linux.Mokes.a. OLMyJuxM.exe aka Backdoor.Win32.Mokes.imv Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a. After execution, the malware randomly chooses one of nine different locations in %AppData% to persistently install itself on the machine. The binary also creates a “version”-file in the same folder. As its name implies, it stores just version information, together with the full installation path of the malware itself: Then the corresponding registry keys are created in HKCUSoftwareMicrosoftWindowsCurrentVersionRun to ensure persistence in the system. After the malware has executed its own copy in the new location, the SetWindowsHook API is utilized to establish keylogger functionality and to monitor mouse inputs and internal messages posted to the message queue. The next stage in its operation is to contact the hardcoded C&C server. Besides the different IP addresses and encryption key, we see almost identical behavior. However, this particular variant uses a slightly different implementation and tries to obtain the default Windows user-agent string. If this is not successful, the sample uses its hardcoded version: Like the Linux variant, it connects to its C&C server in the same way:  once per minute it sends a heartbeat signal via HTTP (GET /v1). To retrieve commands or to upload or download additional resources, it uses TCP Port 433. It uses almost the same filename templates to save the obtained screenshots, audiocaptures, keylogs and other arbitrary data. Unlike the Linux variant, in this sample the keylogger is active. Below you can see the content of a keystroke logfile, located in %TEMP% and created by this sample: And again, we spotted some unexpected code. The following screenshot shows references to code which is able to capture images from a connected camera, such as a built-in webcam. Similar to the Linux version, the author left quite a number of suspicious strings in the binary. The following string is surprisingly honest. From the criminal’s point of view, it’s important that the software looks legitimate and that Windows doesn’t asks the user for confirmation prior to execution of unknown software. On Windows machines this can be achieved by using Trusted Code Signing Certificates. In this particular case, the criminal managed to sign the binary with a trusted certificate from “COMODO RSA Code Signing CA”. We detect this type of malware as Backdoor.Win32.Mokes.imv. What’s next Since this software was intentionally designed to be platform independent, we might see also corresponding Mac OS X samples in the future. Update (2016-02-01 10:45 UTC): We just got Backdoor.Win32.Mokes.imw. This is the first time we see a variant of Mokes, which comes with the audio capture module activated. The malware creates a new audio file every 5 minutes. IOCs Backdoor.Linux.Mokes.a c9e0e5e2aeaecb232120e8573e97a6b8 $HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled$HOME/$QT-GenericDataLocation/.dropbox/DropboxCache$HOME/.config/autostart/profiled.desktop$HOME/.config/autostart/DropboxCache.desktop /tmp/ss0-$date-$time-$ms.sst Backdoor.Win32.Mokes.imv & .imw f2407fd12ec0d4f3e82484c027c7d149 (imw)91099aa413722d22aa50f85794ee386e (imv) %AppData%SkypeSkypeHelper.exe%AppData%Skypeversion%AppData%DropboxbinDropboxHelper.exe%AppData%Dropboxbinversion%AppData%GoogleChromenacl32.exe%AppData%GoogleChromeversion%AppData%GoogleChromenacl64.exe%AppData%GoogleChromeversion%AppData%MozillaFirefoxmozillacache.exe%AppData%MozillaFirefoxversion%AppData%Hewlett-Packardhpqcore.exe%AppData%Hewlett-Packardversion%AppData%Hewlett-Packardhpprint.exe%AppData%Hewlett-Packardversion%AppData%Hewlett-Packardhpscan.exe%AppData%Hewlett-Packardversion%AppData%AdobeAcrobatAcroBroker.exe%AppData%AdobeAcrobatversion %TEMP%aa$n-$date-$time-$ms.aat (imw)where $n is a decimal hash-value calculated from the soundcard’s name %TEMP%ss0-$date-$time-$ms.sst%TEMP%dd0-$date-$time-$ms.ddt%TEMP%kk$date.kkt HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “%PERSISTENT-FILENAME%”, “%PERSISTENT-FILEPATH%” where %PERSISTENT-FILENAME% is one of the filenames aboveand %PERSISTENT-FILEPATH% is the corresponding path

The Advanced Encryption Standard (AES)

AES is a block cipher that will replace DES, but it is anticipated that Triple DES will remain an approved algorithm for U.S. Government...